diff --git a/kdc/headers.h b/kdc/headers.h index 2240336e3..b9a828852 100644 --- a/kdc/headers.h +++ b/kdc/headers.h @@ -104,6 +104,7 @@ #ifndef NO_NTLM #include #endif +#include #include #undef ALLOC diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h index 9b291ac89..daf155839 100644 --- a/kdc/kdc_locl.h +++ b/kdc/kdc_locl.h @@ -39,7 +39,6 @@ #define __KDC_LOCL_H__ #include "headers.h" -#include "kdc.h" typedef struct pk_client_params pk_client_params; struct DigestREQ; diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 355926792..6d74f32f1 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -668,11 +668,11 @@ log_as_req(krb5_context context, */ krb5_error_code -_kdc_check_flags(krb5_context context, - krb5_kdc_configuration *config, - hdb_entry_ex *client_ex, const char *client_name, - hdb_entry_ex *server_ex, const char *server_name, - krb5_boolean is_as_req) +kdc_check_flags(krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *client_ex, const char *client_name, + hdb_entry_ex *server_ex, const char *server_name, + krb5_boolean is_as_req) { if(client_ex != NULL) { hdb_entry *client = &client_ex->entry; @@ -921,7 +921,6 @@ _kdc_as_rep(krb5_context context, "AS-REQ malformed server name from %s", from); goto out; } - if(b->cname == NULL){ ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; @@ -1329,14 +1328,9 @@ _kdc_as_rep(krb5_context context, * with in a preauth mech. */ - ret = _kdc_check_flags(context, config, - client, client_name, - server, server_name, - TRUE); - if(ret) - goto out; - - ret = _kdc_windc_client_access(context, client, req, &e_data); + ret = _kdc_check_access(context, config, client, client_name, + server, server_name, + req, &e_data); if(ret) goto out; diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 3abdb18ae..59104da3d 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c 
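Review bot: After the `_kdc_as_rep` hunk at -1329, the built-in flag checks are no longer guaranteed on the AS-REQ path. `_kdc_check_access` (kdc/windc.c hunk) calls `kdc_check_flags` only when `windcft == NULL`, so with a windc plugin loaded the decision rests entirely on the plugin's `client_access`, where previously both ran in sequence. A plugin that does not itself call the renamed `kdc_check_flags` would let the request continue without those checks. I would record the contract at the call site, e.g. `/* With a windc plugin loaded, client_access replaces kdc_check_flags(); the plugin must do the flag checks itself. */`, and repeat it above `_kdc_check_access` in windc.c. `_kdc_as_rep` begins and ends outside this hunk.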
@@ -1860,10 +1860,10 @@ server_lookup: * Check flags */ - ret = _kdc_check_flags(context, config, - client, cpn, - server, spn, - FALSE); + ret = kdc_check_flags(context, config, + client, cpn, + server, spn, + FALSE); if(ret) goto out; diff --git a/kdc/windc.c b/kdc/windc.c index fe3cd997e..9d7fa52ce 100644 --- a/kdc/windc.c +++ b/kdc/windc.c @@ -99,12 +99,22 @@ _kdc_pac_verify(krb5_context context, } krb5_error_code -_kdc_windc_client_access(krb5_context context, - struct hdb_entry_ex *client, - KDC_REQ *req, - krb5_data *e_data) +_kdc_check_access(krb5_context context, + krb5_kdc_configuration *config, + hdb_entry_ex *client_ex, const char *client_name, + hdb_entry_ex *server_ex, const char *server_name, + KDC_REQ *req, + krb5_data *e_data) { if (windcft == NULL) - return 0; - return (windcft->client_access)(windcctx, context, client, req, e_data); + return kdc_check_flags(context, config, + client_ex, client_name, + server_ex, server_name, + req->msg_type == krb_as_req); + + return (windcft->client_access)(windcctx, + context, config, + client_ex, client_name, + server_ex, server_name, + req, e_data); } diff --git a/kdc/windc_plugin.h b/kdc/windc_plugin.h index 34016694b..c7efb7b85 100644 --- a/kdc/windc_plugin.h +++ b/kdc/windc_plugin.h @@ -64,10 +64,14 @@ typedef krb5_error_code typedef krb5_error_code (*krb5plugin_windc_client_access)( - void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *, krb5_data *); + void *, krb5_context, + krb5_kdc_configuration *config, + hdb_entry_ex *, const char *, + hdb_entry_ex *, const char *, + KDC_REQ *, krb5_data *); -#define KRB5_WINDC_PLUGING_MINOR 3 +#define KRB5_WINDC_PLUGING_MINOR 4 typedef struct krb5plugin_windc_ftable { int minor_version;
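Review bot: In the kdc/windc.c hunk, `_kdc_check_access` calls `windcft->client_access` without checking that the pointer is set. A plugin table that leaves it NULL would crash the KDC when the AS path reaches this call, rather than falling back to the built-in checks. Unless the plugin loader already rejects such tables (not visible in this diff), widen the guard to `if (windcft == NULL || windcft->client_access == NULL)` so the `kdc_check_flags` branch is taken. The function is complete within the hunk.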
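Review bot: In the kdc/windc_plugin.h hunk, the `krb5plugin_windc_client_access` typedef grows from five to nine arguments, and the only guard against a plugin built for the old layout is the `KRB5_WINDC_PLUGING_MINOR` bump to 4. The version comparison lives in the loader, outside this diff, so confirm that it refuses tables whose `minor_version` is below 4 rather than calling through a mismatched pointer. The header also does not say that `client_access` now takes over the flag checks; a comment above the typedef such as `/* client_access is responsible for the checks done by kdc_check_flags() */` would record that. As a style point, `config` is the only named parameter in the prototype; name all of them or none. The `krb5plugin_windc_ftable` struct continues past the hunk.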